A survey of professionals shows that many boards do not make privacy one of their organization’s priorities.
As per the Annual Status of Privacy Survey of the members of ISACA (formerly known as the Information Systems Audit and Control Association) – released in conjunction with Data Privacy Week – 22 percent feel their boards don’t place a priority on privacy, with a further 20 percent saying they don’t know That their boards adequately prioritize confidentiality. Fifty-five percent believe privacy is a priority with their board.
“It’s not entirely surprising,” Safia Kazi, ISACA head for privacy practices, said in an interview. “I think a lot of people see privacy as a cost center. It’s something that probably slows down a project. You get a new program or resource and you’re like ‘is it GDPR compliant? do we have to start over [with a new privacy assessment], I guess that’s where some of it comes from. The other thing I noticed is that 20 percent of our respondents said they don’t know whether their board prioritizes privacy. He can talk to the board which may not be communicative about it (secrecy).
He said the 55 percent who believe their boards prioritize privacy is slightly higher than the 2021 survey. “I think in general we are headed in the right direction, but there is some way to go.”
Survey conducted in the fourth quarter of 2022 looked at responses from 1,890 ISACA members who currently work in data privacy or have detailed knowledge of the data privacy function within their organization, asked questions on Use of privacy staffing, budgets, program trends, awareness training and violations, and privacy by design.
Among the results, Kazi said, is that organizations that practice privacy by design are more likely to have a board that adequately prioritizes privacy and a larger number of employees setting and enforcing privacy policies. dedicated to.
“Vows can really start at the top,” she said. “When you don’t have that support, it can be really hard to get the resources you need.”
Another notable finding is that 31 percent of respondents said their organization does not separate privacy and security training for employees. “It was a little disappointing,” Kazi said. “I think the problem is a lot of people [in management] Take security training and think, ‘privacy is close enough. How does it matter?’ My concern is, if you’re only teaching people security and not privacy, you’re not really building trust with customers. If the organization is collecting too much of someone’s personal information, it is not necessarily a security issue, but it will be a privacy issue.
“But I also want to point out that organizations have so much that they have to do. You can’t take up everyone’s time with a thousand security training and privacy training meetings. My hope is to combine privacy and security training. organizations have a specific call-out to privacy and give it the necessary attention and time.
“One trend that makes me optimistic is that it looks like privacy is doing a little better than it has in years past,” she said of other survey results. “Privacy teams are slightly larger than last year and last year. In addition, we are seeing members are less likely to say they were short staffed this year compared to last year. That said, Staff shortage is still a challenge, filling open privacy positions is a big challenge.”
Overall survey results show that, “for the most part,” enterprises feel privacy is not taking off, he said, adding that many organizations are trying to make sure privacy teams have the resources they need. they are needed.
In other survey results, 42 percent of respondents said their privacy budget is low, and only 36 percent believe it is properly funded. Only a third of respondents (34 percent) indicated that their privacy budget would increase in 2023.
ISACA provides certification for information systems governance, control, risk, security, audit/assurance and business and cyber security professionals.
To read the survey, click here. registration required.
